Skip to content
Latchkey

Build & Publish Package workflow (emdgroup/baybe)

The Build & Publish Package workflow from emdgroup/baybe, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get caching, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: emdgroup/baybe.github/workflows/release.ymlLicense Apache-2.0View source

What it does

This is the Build & Publish Package workflow from the emdgroup/baybe repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Build & Publish Package

on:
  push:
    tags: 
      - '*'
  release:
    types:
      - published
      
concurrency:
  group: ${{ github.event_name }}_${{  github.ref_name }}

permissions:
  contents: read

jobs:
  # Build and verify wheels
  build:
    name: Build & Verify Package
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.14"
      - name: Clean
        run: |
          python -c 'import shutil; [shutil.rmtree(p, True) for p in ("build", "dist")]'
          python -c 'import pathlib, shutil; [shutil.rmtree(p, True) for p in pathlib.Path(".").glob("*.egg-info")]'
      - name: Create Wheel and Dist
        run: |
          pip install build
          python -m build --sdist --wheel --outdir dist/ .
          ls -lat dist
      - name: Check Wheel
        shell: bash
        run: |
          pip install check-wheel-contents     
          check-wheel-contents dist/*.whl
      - name: Upload Artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: Dist_${{  github.ref_name }}
          path: dist

  # Upload to Test PyPI on every tag
  release-test-pypi:
    needs: build
    name: Publish PyPI TEST
    environment: release-test-pypi
    if: github.repository_owner == 'emdgroup' && github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # Required for OIDC authentication to Test PyPI
    steps:
      - name: Download packages built
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: Dist_${{  github.ref_name }}
          path: dist
      - name: Upload package to Test PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          attestations: true

  # Upload to real PyPI on GitHub Releases.
  release-pypi:
    needs: build
    name: Publish PyPI PROD
    environment: release-pypi
    if: github.repository_owner == 'emdgroup' && github.event.action == 'published'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # Required for OIDC authentication to PyPI
    steps:
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        id: setup-python
        with:
          python-version: '3.14'
      - name: Install test-package
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ baybe=="$REF_NAME"
      - name: Download packages built
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: Dist_${{  github.ref_name }}
          path: dist
      - name: Upload package to PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
        with:
          attestations: true

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: Build & Publish Package
 
on:
  push:
    tags: 
      - '*'
  release:
    types:
      - published
      
concurrency:
  group: ${{ github.event_name }}_${{  github.ref_name }}
 
permissions:
  contents: read
 
jobs:
  # Build and verify wheels
  build:
    timeout-minutes: 30
    name: Build & Verify Package
    runs-on: latchkey-small
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          cache: 'pip'
          python-version: "3.14"
      - name: Clean
        run: |
          python -c 'import shutil; [shutil.rmtree(p, True) for p in ("build", "dist")]'
          python -c 'import pathlib, shutil; [shutil.rmtree(p, True) for p in pathlib.Path(".").glob("*.egg-info")]'
      - name: Create Wheel and Dist
        run: |
          pip install build
          python -m build --sdist --wheel --outdir dist/ .
          ls -lat dist
      - name: Check Wheel
        shell: bash
        run: |
          pip install check-wheel-contents     
          check-wheel-contents dist/*.whl
      - name: Upload Artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: Dist_${{  github.ref_name }}
          path: dist
 
  # Upload to Test PyPI on every tag
  release-test-pypi:
    timeout-minutes: 30
    needs: build
    name: Publish PyPI TEST
    environment: release-test-pypi
    if: github.repository_owner == 'emdgroup' && github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
    runs-on: latchkey-small
    permissions:
      contents: read
      id-token: write  # Required for OIDC authentication to Test PyPI
    steps:
      - name: Download packages built
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: Dist_${{  github.ref_name }}
          path: dist
      - name: Upload package to Test PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          attestations: true
 
  # Upload to real PyPI on GitHub Releases.
  release-pypi:
    timeout-minutes: 30
    needs: build
    name: Publish PyPI PROD
    environment: release-pypi
    if: github.repository_owner == 'emdgroup' && github.event.action == 'published'
    runs-on: latchkey-small
    permissions:
      contents: read
      id-token: write  # Required for OIDC authentication to PyPI
    steps:
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        id: setup-python
        with:
          cache: 'pip'
          python-version: '3.14'
      - name: Install test-package
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ baybe=="$REF_NAME"
      - name: Download packages built
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: Dist_${{  github.ref_name }}
          path: dist
      - name: Upload package to PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
        with:
          attestations: true
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 3 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow